Skip to content

Latest commit

 

History

History
32 lines (25 loc) · 2.43 KB

vulnerability_scanning_policy.md

File metadata and controls

32 lines (25 loc) · 2.43 KB
Raw

Vulnerability Scanning Policy

Pact is proactive about information security and understands that vulnerabilities need to be monitored on an ongoing basis. Pact utilizes Nessus Scanner from Tenable consistently scan, identify, and address vulnerabilities on our systems as well as OSSEC on all systems, including logs, for file integrity checking and intrusion detection.

Applicable Standards from the HITRUST Common Security Framework

  • 10.m - Control of Technical Vulnerabilities

Applicable Standards from the HIPAA Security Rule

  • 164.308(a)(8) - Evaluation

Vulnerability Scanning Policy

  • Nessus management is performed by the Pact Security Officer with assistance from the VP of Engineering.
  • Nessus is used to monitor all internal IP addresses (servers, VMs, etc) on Pact networks.
  • Frequency of scanning is as follows:
    1. on a weekly basis;
    2. after every production deployment.
  • Reviewing Nessus reports and findings, as well as any further investigation into discovered vulnerabilities, are the responsibility of the Pact Security Officer.
  • In the case of new vulnerabilities, the following steps are taken:
    • All new vulnerabilities are verified manually to assure they are repeatable. Those not found to be repeatable are manually tested after the next vulnerability scan, regardless of if the specific vulnerability is discovered again.
    • Vulnerabilities that are repeatable manually are documented and reviewed by the Security Officer, VP of Engineering, and Privacy Officer to see if they are part of the current risk assessment performed by Pact.
      • Those that are a part of the current risk assessment are checked for mitigations.
      • Those that are not part of the current risk assessment trigger a new risk assessment, and this process is outlined in detail in the Pact Risk Assessment Policy.
  • All vulnerability scanning reports are retained for 6 years by Pact.
  • Penetration testing is performed regularly as part of the Pact vulnerability management policy.
    • External penetration testing is performed bi-annually by a third party.
    • Internal penetration testing is performed quarterly.
    • Gaps and vulnerabilities identified during penetration testing are reviewed, with plans for correction and/or mitigation, by the Pact Security Officer.
    • Penetration tests results are retained for 6 years by Pact.
  • This vulnerability policy is reviewed on a quarterly basis by the Security Officer and Privacy Officer.